Migrating to Specops uReset 8.0

Migrating from Specops Password Reset


Introduction

The Specops Authentication migration wizard can be used to migrate the enrollment data from Specops Password Reset (SPR) into uReset 8 and above. This allows SPR users to authenticate with O365, and manage password resets, with their existing SPR enrollment.

Pre-migration

  • Verify that users know their UPN (email format) names. To align with the standards used in Cloud solutions, older style usernames are not supported.
  • Rather than using “sAMAccountName” to identify users, Specops Authentication uses “User Principal Name” (UPN). It is recommended that UPNs are consolidated to match users’ email addresses. This makes it easier for users to remember their UPN during authentication.
  • Existing policies cannot be migrated automatically. You can create new policies from the uReset menu in the Specops Authentication Gatekeeper Tool.
  • The migration tool can only migrate Mobile Code and Questions and Answers. In order to migrate these across, you must have these identity services configured in your uReset 8 group policy.
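
The UPN check from the first two items above, as an added PowerShell example (not Specops code): it flags accounts whose UPN is missing, is not in user@domain form, or differs from the mail attribute. The function name, the sample accounts and the OU path in the closing comment are assumptions.

```powershell
# Added example: pre-migration UPN audit. Not part of the Specops tooling.
function Get-UpnMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        $upn  = [string]$User.UserPrincipalName
        $mail = [string]$User.mail

        if ([string]::IsNullOrWhiteSpace($upn)) {
            $issue = 'No UPN set'
        } elseif ($upn -notmatch '^[^@\s]+@[^@\s]+$') {
            $issue = 'UPN is not in user@domain form'
        } elseif ([string]::IsNullOrWhiteSpace($mail)) {
            $issue = 'No mail attribute to compare with'
        } elseif ($upn -ne $mail) {          # -ne compares case-insensitively
            $issue = 'UPN differs from email address'
        } else {
            return                            # UPN matches mail: nothing to report
        }

        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            UserPrincipalName = $upn
            Mail              = $mail
            Issue             = $issue
        }
    }
}

# Constructed sample accounts so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith';   UserPrincipalName = 'alice.smith@example.com'; mail = 'alice.smith@example.com' }
    [pscustomobject]@{ SamAccountName = 'bjones';   UserPrincipalName = 'bjones@demo.local';       mail = 'bob.jones@example.com' }
    [pscustomobject]@{ SamAccountName = 'cnguyen';  UserPrincipalName = 'cnguyen@example.com';     mail = $null }
    [pscustomobject]@{ SamAccountName = 'svc-scan'; UserPrincipalName = $null;                     mail = $null }
)

$findings = $sample | Get-UpnMismatch
$findings | Format-Table -AutoSize
$findings | Group-Object Issue | Select-Object Count, Name | Format-Table -AutoSize

# Against the directory (requires the ActiveDirectory module; the OU is an assumed example):
#   Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Users,DC=demo,DC=local' -Properties mail |
#       Get-UpnMismatch | Export-Csv .\upn-findings.csv -NoTypeInformation
```

Running it against the same scope you plan to select in the wizard gives the list of users to fix or notify before the migration.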

Before you get started, you must meet the following requirements for a successful migration:

  • Specops Authentication customer account with the Gatekeeper Admin Tool installed and configured.
  • The scope where the SPR enrollment data resides must be inside the Specops Authentication scope of management.

  1. From the Gatekeeper tab on the Specops Authentication Gatekeeper Admin tool, click Migrate from SPR.
  2. Click Next.
  3. Select the Active Directory scope containing the SPR user enrollment data that you want to migrate across. For example, you might select the Users Organizational Unit, if it contains all the users you want to migrate.
  4. Click Add and the scope will appear in the Selected Scopes box.
  5. Click Next.
  6. Select your migration options:
    • Overwrite existing Specops Authentication enrollments: Migrate user enrollments for users that already have a Specops Authentication enrollment. Users that have already enrolled with Specops Authentication will have their entire enrollment overwritten. Identity Service enrollments cannot be merged with enrollments from SPR. Leaving this unticked will not update these users’ enrollments.
    • Halt execution on errors: If you select this option, the migration will be stopped as soon as an error occurs. If this is left unselected, the migration will continue until all users have been migrated. Any errors will be visible in the Event Log in the Gatekeeper afterwards.
    • Specify the Active Directory attribute name that is used to store mobile numbers of users that exist.

    Tip: If you do not want the mobile data to be migrated across from SPR to Specops Authentication, you can specify an attribute that is not used instead, and the mobile data will be omitted.

  7. Click Next.
  8. Your pre-migration overview will be displayed, such as the number of users, enrollments, and the Active Directory scope you have selected.
  9. Click Next.
  10. Your post-migration overview will be displayed. Click Finish.
  11. Click Finish to start the migration.

Note: The migration wizard will appear in the Gatekeeper Admin Tool user interface if the SPR service connection point exists in Active Directory. To remove the Migrate from SPR button from the interface, run the following command in PowerShell, and remove the listed objects from Active Directory.

Get-ADObject -LDAPFilter "(&(objectCategory=serviceConnectionPoint)(name=Specops Password Reset))" | Remove-ADObject

Post-migration checklist

  • Ensure that the authentication policy for password resets in Specops Authentication matches the authentication policy used in SPR.
  • Install the Specops Authentication Client (version 7.12.18107.4 or later).

Migrating from Specops uReset 7.x


Introduction

This guide provides you with the necessary steps to migrate from Specops uReset 7.12 and earlier, to Specops uReset 8.0 and above.

Specops uReset 8.0 is an upgrade for Specops uReset 7.12, and comes with several improvements and new features. Unlike previous uReset upgrades, you cannot simply click the Check for new version link in the Specops uReset Administration tool and apply these changes, as Specops uReset 8.0 is an entirely new platform. To upgrade, you must:

  • Step 1: Install and configure the Specops uReset 8.0 platform.
  • Step 2: Sign up for a Specops Authentication account.
  • Step 3: Migrate your user and enrollment data across to Specops uReset 8.0.

STEP 1. Installing Specops uReset 8.0

More information on accessing the ADMX templates can be found in the Authentication client chapter, under Accessing the ADMX template. There you will find information on some of the registry keys the templates produce as well.

The registry keys created by the ADMX template can be found here: HKEY_LOCAL_MACHINE\Software\Policies\Specopssoft\Ureset\Client

Before you can migrate your users and enrollments, you must download and deploy Specops uReset 8.0.

  1. Download the ADMX template for Specops uReset 8.0 here.
  2. Copy the ADMX template and the corresponding ADML file (you can find these in c:\windows\policydefinitions) to the SYSVOL Central Store (if you want to make this available to more than one server) or copy it locally. The settings in this client ADMX template tell both clients to continue using Specops uReset 7.12 instead of automatically redirecting to Specops uReset 8.0. This means you can continue using the old version unaffected, until you are ready to start migrating over.
  3. Create a computer GPO and apply it to all computers that will have the Specops Authentication client installed, and configure the following settings under the ‘General Client Settings’ section of the template. This step is critical in ensuring that your workstation clients are not directed to uReset 8.0, before you have completed configuration and migration.
    • the settings container from the uReset 7.12 Administration tool. The default location is under the System container in Active Directory. Example: CN=Settings,CN=uReset,CN=Specops,CN=System,DC=demo,DC=local
  4. Under the “Type of reset system” option select uReset.
  5. Save the new policy and apply it to all computers that have the Specops Authentication Client installed.
  6. Verify that the policy is being correctly applied to your client computers.
  7. Download the latest Specops Authentication client, here.
  8. Deploy the Specops Authentication client to all of your client computers. Older versions of the Specops Authentication or Specops uReset client will be replaced automatically.
  9. Install Specops Authentication. Installation instructions can be found here.

When you copy the ADMX template to your chosen location, it will override the existing template.

STEP 2. Signing up for a Specops Authentication account

This step should not be performed until the Client ADMX step (see above) has been completed.

Follow the instructions under the Create a customer account section, under Installation, to sign up for a Specops Authentication account.

STEP 3. Performing the migration

The Specops Authentication migration wizard can be used to migrate the enrollment data from Specops uReset 7.12 into Specops uReset 8.0. This will allow uReset users to verify their identities before resetting or changing their own passwords or recovering encryption keys via self-service or through the IT service desk, with their existing uReset enrollment.

Pre-migration:

  • When migrating to Specops uReset 8.0, the platform hosting the datacenter will change from Microsoft Azure to Amazon Web Services.
  • Existing policies cannot be migrated automatically. You can create new policies from the uReset menu in the Specops Authentication Gatekeeper Tool.
  • Stylesheets utilizing Bootstrap 4 will require an upgrade.
  • Auditing, reporting, and user statistics have been significantly improved in Specops Authentication. Existing statistics from www.ureset.com will not be migrated.

From the migration wizard, you can migrate enrollment data for the following identity services:

  • Questions & Answers (Security Questions)
  • Mobile Code
  • Symantec VIP
  • Specops/Microsoft/Google Authenticator*
  • Specops Fingerprint Authenticator*
  • Mobile Bank ID
  • Facebook
  • Google (Gmail)
  • Live
  • Instagram
  • LinkedIn
  • Twitter
  • Flickr
  • Salesforce
  • Tumblr

The Duo Security identity service does not require migration. If Duo Security is enabled in the policy, all affected users will be enrolled with Duo Security on Specops Authentication.

* Before proceeding with migrating Specops/Microsoft/Google Authenticator or Specops Fingerprint, please contact support.

Requirements for successful migration

Before you get started, you must meet the following requirements for a successful migration:

  • Specops Authentication customer account with the Gatekeeper Admin Tool installed and configured.
  • The scope where the Specops uReset enrollment data resides must be inside the Specops Authentication scope of management.

Migrating

  1. From the Gatekeeper tab on the Specops Authentication Gatekeeper Admin tool, click Migrate from uReset.
  2. Click Next.
  3. Select the Active Directory scope containing the uReset user enrollment data you want to migrate to Specops Authentication, and click Next.
  4. Enable your migration options:
    • Overwrite existing Specops Authentication enrollments: Migrate user enrollments for users that already have a Specops Authentication enrollment. Users that have already enrolled with Specops Authentication will have their entire enrollment overwritten. Identity Service enrollments cannot be merged with enrollments from uReset. Leaving this unticked will not update these users’ enrollments.
    • Halt execution on errors: Stops the migration as soon as an error occurs. The migration must be restarted on errors. If this is left unticked, the migration will keep going until all users have been migrated. Any errors will be visible in the Windows Event Log on the Gatekeeper afterwards.
  5. Click Next.
  6. Your pre-migration overview will be displayed. To continue, click Next.
  7. Your post-migration overview will be displayed. Click Finish.
  8. Click Finish to start the migration.

Updating users outside process GPOs

For users whose workstations regularly fall outside GPO processing (e.g. users working from home), some additional steps need to be performed.

  1. Copy the registry keys generated by the ADMX template (more on ADMX templates can be found here).
  2. Push the keys to the users in question using your desktop management tool of choice (e.g. Microsoft Intune), or by running a start-up script.
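
One way to confirm that a machine outside GPO processing ended up with the same client policy values as a managed one, as an added PowerShell example (not Specops code). The key path is the one given on this page; the function names, the share path and the value names in the constructed sample are placeholders.

```powershell
# Added example: baseline and drift check for the client policy key.
$PolicyKey = 'HKLM:\Software\Policies\Specopssoft\Ureset\Client'   # path from this page

function Get-PolicyValues {
    # Read every named value under the key into a name -> string map (empty if the key is absent).
    param([string]$Key = $PolicyKey)
    $map  = @{}
    $item = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            if ($name) { $map[$name] = [string]$item.GetValue($name) }   # skip the unnamed default value
        }
    }
    return $map
}

function Save-PolicyBaseline {
    # Run on a GPO-managed reference machine.
    param([Parameter(Mandatory)][string]$Path)
    Get-PolicyValues | ConvertTo-Json | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Read-PolicyBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $map = @{}
    $obj = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    foreach ($p in $obj.PSObject.Properties) { $map[$p.Name] = [string]$p.Value }
    return $map
}

function Compare-PolicyValues {
    # Emit one object per value that is missing, unexpected or different on this machine.
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [Parameter(Mandatory)][hashtable]$Actual
    )
    foreach ($name in (@($Expected.Keys) + @($Actual.Keys) | Sort-Object -Unique)) {
        if (-not $Actual.ContainsKey($name)) {
            $state = 'Missing'
        } elseif (-not $Expected.ContainsKey($name)) {
            $state = 'Unexpected'
        } elseif ($Actual[$name] -cne $Expected[$name]) {
            $state = 'Different'
        } else {
            continue
        }
        [pscustomobject]@{
            Name     = $name
            State    = $state
            Expected = $Expected[$name]
            Actual   = $Actual[$name]
        }
    }
}

# Constructed sample (placeholder value names) so the comparison can be tried
# without touching the registry.
$baseline = @{
    ExampleSettingA = 'CN=Settings,CN=uReset,CN=Specops,CN=System,DC=demo,DC=local'
    ExampleSettingB = '1'
}
$drifted = @{ ExampleSettingB = '0'; ExampleSettingC = 'x' }
Compare-PolicyValues -Expected $baseline -Actual $drifted | Format-Table -AutoSize

# In a start-up script on the unmanaged machine (the share path is an assumption):
#   $expected = Read-PolicyBaseline '\\fileserver\share\ureset-client.json'
#   Compare-PolicyValues -Expected $expected -Actual (Get-PolicyValues)
```

An empty result means the machine carries the same values as the reference machine, so it will follow the same version of the reset system as the GPO-managed clients.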

You are now ready to direct your users to uReset 8.0.

  1. Remove the computer GPO created earlier with the settings container override setting – your Specops Authentication clients will now default to using the new version automatically.
  2. Update any bookmarked URLs or GPOs with URL Override settings.

Why should you upgrade to the new platform?

Although Specops uReset 8.0 performs the same job as Specops uReset 7.12, it comes with several new features and enhancements. These are as follows:

  • Added support for the following new identity services: Okta Verify, Ping ID, Trusted Network Location (location/IP based authentication), email verification, all of which support auto enrollment
  • Ability to select between a NA or EU data center for compliance purposes
  • Geo-location blocking to allow or disallow IP addresses or countries from accessing the service
  • Ability to add an MFA policy for password change
  • Multi-Gatekeeper support for fail over/redundancy
  • Updated IT service desk component (formerly known as user management) which includes a more streamlined authentication experience with a quick verification option, forced user verification and tracking/logging.
  • Updated Duo Security and Symantec VIP identity services for a more streamlined user experience and as quick verification options in the IT service desk component.
  • Support for displaying the Breached Password Protection rule during password change when using uReset and Specops Password Policy with the Breached Password Protection add-on.
  • uReset MFA enrollments can be extended seamlessly to protect encryption key recovery when using uReset with Specops Key Recovery
  • Added support for more languages: Japanese, Portuguese, Simplified Chinese, Traditional Chinese, Polish, Korean and Czech

New Features, changes and improvements

This section highlights the differences between the two platforms. Certain elements have changed entirely and some have simply been moved and/or renamed.

URLs

The URLs in Specops uReset 8.0 differ from those found in Specops uReset 7.12.

Specops uReset 7.12 uses www.ureset.com (NA) and login.ureset.com (EU). These URLs have been deprecated and each uReset web link now has a corresponding URL under login.specopssoft.com (NA) and eu.login.specopssoft.com (EU) instead.

The following screenshots are from environments hosted in North America.

URLs in Specops uReset 8.0:

The following URLs are found under the Gatekeeper tab in the Specops Authentication Gatekeeper Admin tool:

  • Admin Pages: This URL takes you to the administrative pages. Admins can configure various parts of the system. This includes:
    • Configuring enrollment/admin policies.
    • Configuring identity services.
    • Creating and deleting accounts.
    • Customizing parts of the Specops uReset 8.0 user interface.
    • Adding and removing Gatekeepers.
  • Enrollment: This URL takes you to the Enrollment page, where you must enroll in order to access the administrative pages, user management pages, and uReset.
  • User Management: This URL takes you to the User Management page, in which you can search for users, reset their passwords, and use uReset identity services to authenticate users. Helpdesk has replaced User Management in uReset 8.0.

The following URLs are located under the uReset tab in the Specops Authentication Gatekeeper Admin tool:

  • Reset Password: This URL takes you to a page in which you can reset your password.
  • Change Password: This URL takes you to a page in which you can change your password.

URLs in Specops uReset 7.12:

In Specops uReset 7.12, the URLs are located under the uReset Gatekeeper tab, in the Specops uReset Administration tool.


Security Groups

Security groups in Specops uReset 8.0:

Specops uReset 8.0 comes with new admin and user management related groups that do not exist in Specops uReset 7.12. When you install Specops uReset 8.0, three new global groups are automatically created in your Active Directory. These groups fall under a single Security Groups category. You can edit the members of these groups directly in the Specops Authentication Gatekeeper Admin tool, by clicking the Active Directory Settings tab. These are as follows:

  • Admin group: All admins are listed in this group.
  • User admin group: All user admins are listed in this group.
  • Gatekeepers group: Your gatekeeper service account(s) are listed in this group.
The uReset ‘helpdesk’ has been renamed ‘User Management’ in Specops uReset 8.0.

Security groups in Specops uReset 7.12:

In Specops uReset 7.12, the various security groups are located under the Policies and Groups tab, in the Specops uReset Administration tool, and are separated out into different categories (Active Directory Settings, Helpdesk users, Administrators).


Policies

Policies in Specops uReset 8.0:

In Specops uReset 8.0, policies are tagged in the Specops Authentication Gatekeeper Admin tool (on premises component) but configured in Specops Authentication Web (cloud component).

You can use the same GPOs in Specops uReset 8.0 that you used in Specops uReset 7.12. To tag a GPO:
  1. Open the Specops Authentication Gatekeeper Admin tool.
  2. Click the uReset tab.
  3. In the GPOs tagged for uReset section, click the Tag GPOs link.
  4. Select a policy from the list.
  5. Click OK.
  6. The policy will appear in the list.

Policies in Specops uReset 7.12:

In Specops uReset 7.12, policies are configured in the Specops uReset Administrator (on premises component) and stored in SYSVOL.

Removed features and ID services

Changed features

  • The secret questions identity service is now configured globally instead of per policy.
  • Enrolled users report.

Removed identity services

  • Amazon
  • Box
  • Instagram
  • Salesforce
  • Yahoo

Customizing the uReset user interface

As with Specops uReset 7.12, you can customize various parts of the Specops uReset 8.0 landing page. However, the parts that can be customized differ slightly from uReset 7.12. To access the customization features, go to the Customization menu. The following aspects of uReset 8.0 can be customized.

Changing the main logo

The logo at the top left of the page, both in Authentication Web and the Authentication Client, can be changed to match your requirements.

  1. Click Browse and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image.

To revert to the default image, click Default.

Main logo image specifications

The following specifications apply to the main logo image:

  • Supported file types: png, gif, jpg.
  • Maximum file size: one megabyte (1 MB).
  • Transparency in png images will be rendered as expected, with the background color showing through the transparent parts.
  • Image will be rendered with a height of 40 pixels.
    • Aspect ratio of the uploaded file will always be kept intact.
    • Images with a height less than 40 pixels will be scaled up to 40 pixels. The quality of the rendered image will decrease.
    • Images with a height above 40 pixels will be scaled down to 40 pixels. Quality is not necessarily affected.
    • For the best results, use an image with a height of exactly 40 pixels and a width that is no greater than 300 pixels. If the image is too wide, there won’t be sufficient room to render the menu items in the header.

Changing the login image

You can also change the image on the login page that is presented to users.

  1. Click Browse and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image. The image will appear at the top left of the page.

To revert to the default image, click Default.

Login image specifications

The specifications for the login image are the same as for the logo (above), except for the size. The login image has a maximum width of 235 pixels. Images less than 235 px wide will be scaled up (which will decrease the quality of the image), and images more than 235 px wide will be scaled down. The aspect ratio of the original image will always be kept in the rendered image.

Changing the colors

Various colors in the interface can be changed to match your company’s look and feel. The colors that can be changed are:

  • Page background (page’s main content area)
  • Menu background (top and side navigation)
  • Sign-in background (login page)
  • Default button (primary buttons)
  • Secondary button (buttons such as Cancel etc.)
  • Information box background (textboxes with additional information)

To change the color:

  1. Select the checkbox next to the color you want to change.
  2. Select the color you want to use:
    • Click the color-picker icon and select the color you want, then click OK.
    • Enter the HTML color code (hexadecimal color code) in the text field.

To revert to the default color for all elements, click Default.

Changing the texts

Various texts that are presented to the user in messages and notifications can also be changed.

  1. Select the language you want to make changes to in the Language drop-down.
  2. Click the text element you want to change, for example Enroll_Completed_Header.
  3. Select Use custom.
  4. Enter the text you want to use in the Custom text field and click Save. The Customized column in the list will now show a checkmark at the text element you changed, while the Customized value shows the new text.

To revert to the default text, click the text element, and select Use original, then Save. This will delete the custom text. Note that only deleting the custom text will not revert the text element to the default state (instead, the text field will then be blank).

| Text label | Description | Default text |
|---|---|---|
| Enroll_Completed_Header | Header for page shown when users have met the weight requirements, with option to continue or end enrollment process. | All done! |
| Enroll_Completed_Message | Information text for page shown when users have met the weight requirements, with option to continue or end enrollment process. | You have collected enough stars for your enrollment. Feel free to improve you enrollment information by collecting more stars. |
| Enroll_CompletedCompleted_Message | Text on final page of enrollment process. | You have completed the enrollment, you can now close this browser and move on with your day. |
| Enroll_Edit_Help | Text on identity services page when a user has opted to make changes to an already complete enrollment. | Add or change identity services from the lists below. Make sure your star bar is still full after the changes. |
| Enroll_Help | Text on identity services selection page during enrollment. | Use the identity services below to identify yourself until you have collected enough stars to fill the star bar. |
| Enroll_Index_Message | Text displayed when user switches between services to enroll for (e.g. Admin, User Management etc.) | You can enroll for multiple services. Select which service to enroll for. You can also make changes to a completed enrollment. |
| Enroll_Introduction_Header | Header on the first page of the enrollment wizard (before entering password) | Enrollment Reminder |
| Enroll_Introduction_Message | Text on the first page of the enrollment wizard (before entering password) | You are required to enroll for the Password Reset service. Press the button below to start the enrollment wizard. |
| Error_Mfa_UserHasNoPolicy_Message | Error message text displayed when a user who does not have a policy configured tries to sign in. | No policy has been configured for you for this service. |
| Error_Mfa_UserHasNoPolicy_Title | Error message title displayed when a user who does not have a policy configured tries to sign in. | You cannot enroll for this service |
| Mfa_Menu_Message | Text on identity services selection page during login. | Use the identity services below to identify yourself until you have collected enough stars to fill the star bar. |
| Mfa_NotEnrolled_EnrollmentMissing_Header | Header displayed when a user is not enrolled with uReset and tries to reset their password. | Enrollment missing |
| Mfa_NotEnrolled_IsuReset_Information | Text displayed when a user is not enrolled with uReset and tries to reset their password. | You cannot reset your password because you have not enrolled for the reset password service. |
| Password_Complete_Message | Text on final page for a password reset or password change. | Your password has been changed! If using a Windows computer, it is recommended to sign-out and sign-in again with your new password. Also, don't forget to update to your new password in for example the email app on your phone, if necessary. |
| Password_CompleteSecureBrowser_Message | Text on final page for a password reset or password change that started from the Windows identity password view. | Your password has been changed! Don't forget to update to your new password in for example the email app on your phone, if necessary. |
| Password_Instructions_Message | Text displayed above password rules when performing a password change or password reset. | |
| Password_Instructions_Mobile_Header | Clickable text displayed on small devices to expand the password instructions, above the password rules when performing a password change or password reset. | Show instructions |
| SkipCredentialScreening_UserName_Label | Text displayed when a user enters their username during sign-in. | Username |
| UserManagement_SearchInformation | Text displayed on the User Management start page. | Use the search box to find users. You can search by account names, email addresses or users' real names. |
| WindowsIdentity_UserName_Label | Text displayed when a user enters their password during sign-in. | Username |

Licensing

Licenses are managed by the Specops team, which means a physical license key is not required. You can create your customer account using a known domain/contact here. The Specops team can then associate it with your existing Specops uReset 7.12 subscription license.